News and Notes from the Makers of Nexus | Sonatype Blog

New Sonatype Repository Firewall release with developer-first enhancements

Written by Chris Good | November 16, 2021

Due to an increase in large-scale attacks focused on developers, it's crucial for businesses to secure their software development life cycle (SDLC).

Addressing risk

Companies are waking up to software supply chain issues. With the SolarWinds breach for example, malicious code was inserted along the build process for their Orion product. This resulted in deploying malicious, trojanized updates to roughly 18,000 SolarWinds customers. This update was carried downstream to impact a significantly larger attack surface than anyone anticipated. Being able to combat these modern-day attacks is becoming increasingly difficult, as bad actors are getting more sophisticated and targeting developers now more than ever.

Similarly, bad actors are targeting vulnerable packages that developers bring into their organization. As a result, it's important to understand how often this risk occurs. It is common in the npm ecosystem for developers to specify a range of versions that is resolved to the latest one within the version range. Malware authors depend on this, knowing that their harmful software will be downloaded almost immediately.

Another frequent offense is the dependency confusion attack, AKA "namespace confusion attack." In it, a developer is tricked into pulling malicious packages from an open source public repository, like npm or Maven Central, rather than the intended file with the similar or same name from their local repository. The package could have the same exact name, but when presented with the option to pick between two identical package names, package installers will pick the one with the highest version number. Thus, downloading the "newer," malicious package from the bad actor, and consequently putting their entire organization at risk.

To help combat these issues and more, Sonatype added Release Integrity to Sonatype Repository Firewall earlier this year. The Release Integrity (RI) Score is a concept generated from our artificial intelligence / machine learning (AI/ML)-powered automated malware detection system in our Sonatype Repository Firewall offering. It's a first-of-its-kind early warning system to automatically identify and block next-gen software supply chain attacks, such as typosquatting and malicious code injection.

Pushing the needle further with automatic component management

New to Sonatype Repository Firewall, we introduced policy-compliant component selection, which will automatically return the latest version of a program that fits within customizable standards. When attempting to download the latest version of a package from a registry, if the latest package has not already been scanned, the package will be evaluated. This analysis is based on your own custom policies, including common risk factors like popularity, licensing credentials, and known and unknown vulnerabilities.

As soon as Sonatype Repository Firewall flags a package or a dependency as "suspicious" using the Release Integrity feature, it undergoes a quarantine queue for manual review by the Sonatype Security Research Team. Existing components will be quarantined before they are pulled "downstream" into a developer's open source build environment. Once the component or package is deemed safe, it will be released back into the development pipeline.

Sonatype Repository Firewall evaluation process

If the latest version is not policy compliant, such as pending evaluation or has suspicious properties, we automatically revert to the best-known version. Once the latest version becomes compliant, it is returned automatically without any effort on the developer's part.

Improve developer productivity

Developers can waste time going back and forth to find the latest version that’s safe and secure. It's tedious and expensive to manually release components and packages, while also keeping track of status changes. With this feature, you can help your organization secure its software supply chain.

We are incredibly excited about this new feature directly affecting development security and efficiency. Read more on how to implement Policy Compliant Component Selection.